The MSP’s Essential Guide to Cybersecurity and Cyber Warfare in 2021
What You Need to Know in the Age of Nation-State Sponsored Hacking
Cyber warfare has been on the rise in recent years. The news has been inundated with ransomware attack after ransomware attack, and breach after breach hitting companies large and small. The amount of data any given company holds is staggering, and combined with the fact that many people reuse passwords (see here to learn how to really secure a password), a little access goes a long way. The move to working from home during the pandemic, and to hybrid environments, has arguably exacerbated this wherever better security mechanisms were not in place.
While in previous years we mainly saw individuals or small groups engaging in cyber warfare attacks, there’s been a serious growth in organization and backing as of late. The DHS has been raising alarms (PDF) about cyber-attacks for a decade. The DOD has been much more open about the state of affairs.
We’re at war digitally. The battle has grown from the hackers of yore on an ideological crusade to nation-states looking to gain an advantage over enemies on a geopolitical chessboard. There are hacking groups involved, but more often than not they attack enemies (or perceived enemies) of their home nations. DarkSide, REvil, etc. focus on the United States and other Western powers while entirely eschewing the former Soviet Bloc. Whether any given breach is a deliberate act of warfare is arguable, but geopolitics plays a role in these attacks. Either we’re dealing with state-sponsored hacking or we’re dealing with privateers.
The news has been filled with recent attacks ranging from meat processing plants to pipelines to RMM products. Let’s break down some of these attacks to see what happened and how they impact smaller players such as MSPs.
The most recent major cyber warfare attacks (as of writing) hit SolarWinds and Kaseya. JBS S.A., the world’s largest meat supplier, was hit about a month earlier. Less than a month before the attack on JBS, Colonial Pipeline was hit as well, causing a jump in gas prices due to a predicted shortage. SolarWinds has also been in and out of the news with various attacks since the end of last year. EA got hit as well, but with a seemingly different motive. Large or small, businesses at all levels are vulnerable to cyber warfare attacks if they don’t stay secure at every layer from top to bottom.
These are the most major attacks, but there have been continuous breaches against small, medium, and even large businesses with different bounties (from ransoms to intel) and levels of damage inflicted that haven’t made the news. The media is continuously churning through various attacks and is unable to address them all (I can’t even seem to get through editing this article before another attack occurs). These attacks are a mix of ransomware and exfiltration, and they have caused waves in the economy.
RMM Hacks: SolarWinds and Kaseya
The SolarWinds hack from the end of 2020 (discussed below) has continued to have ramifications. Microsoft disclosed a new breach believed to be tied to Russia’s Foreign Intelligence Service, the same service linked to the SolarWinds hack. This attack hit the news right around the same time as the Kaseya hack, which saw ransomware distributed through Kaseya’s VSA RMM by REvil (you’ll see them again with multiple attacks).
The SolarWinds hack is just the continuing fallout from the previous exploit, but the Kaseya hack involved new zero-day exploits (as well as older ones). While this attack did not compromise The 20’s customers, it definitely had an impact while we waited for the patch. These two attacks are differing types of supply chain attack, each leveraging a piece of the pipeline in order to compromise someone further down the line.
The specifics aren’t entirely out for these attacks (though stay tuned for a postmortem on the VSA attack when the dust settles), but the message is clear: supply chain attacks, especially against MSPs, are on the rise and will continue to become more and more common. What is your organization doing to prevent your RMM tool from becoming your worst nightmare?
JBS
JBS had 9 of their beef plants in the US compromised. People were worried about meat prices skyrocketing the way the earlier Colonial Pipeline hack drove up gas prices in some areas. While the exact details of the attack haven’t been published (and probably won’t be), it cost millions in ransom payments to get back to operating.
REvil is believed to be responsible per the FBI. While they’ve claimed they aren’t politically motivated, attacking JBS disrupts the food supply, and it isn’t the first high-profile attack this year. If the attacks aren’t political, they are at least having political implications.
The exact details have not been released, but at the very least the downtime from this attack has been expensive. Backup systems were not affected which allowed faster recovery. There is a purported link between REvil and QBot for this specific attack.
Proper backups are what saved them from experiencing the same issues as Colonial Pipeline or other victims of ransomware. A cyber warfare attack is going to cost time and effort no matter what, but what are you doing for yourself and your clients to ensure it’s minimal? Remediation is one of the biggest deciding factors in how successful a ransomware attack is.
Colonial Pipeline
The Colonial Pipeline hack took place in early May, about a month before the JBS attack. This attack managed to cripple a major pipeline along the East Coast of the US using ransomware. A lot of these attacks rely on phishing or similar techniques to breach a network; the exact mechanism of this intrusion had not been released at the time of writing.
Colonial Pipeline ended up paying around $4.4 million a day in Bitcoin to their attackers. The DOJ was able to recover about $2.3 million from DarkSide, which disbanded shortly after the attack. The attack caused a fluctuation in gasoline prices and created localized, artificial shortages from the fear-mongering of the media around this attack. DarkSide has claimed that this attack was not politically motivated, but it seems a bit coincidental given all of the infrastructure attacks we’ve seen. Even if the attack itself was not politically motivated, it had devastating geopolitical implications.
The cost of downtime is high, enough that a major company was willing to bleed a massive ransom to keep going. They could afford to do it, but what about your business or the businesses you support? What infrastructure supports your business or your clients’ businesses, and what infrastructure do you impact?
SolarWinds
SolarWinds has been in and out of the news from the sheer fallout from the attacks. They got hacked, and they got hacked bad. Their Orion IT management software most likely suffered a software supply-chain compromise, which allowed breaches into companies such as Microsoft and VMware, and even into the federal government. The attack was so bad that the US is readying sanctions against Russia, which helped facilitate the attack.
The attack caused a massive amount of downtime, compromised certain companies’ data, and trojanized the general software platform. MSP attacks have gotten more and more prevalent in recent years. A single attack doesn’t just hurt one company; it allows ingress into a multitude of companies, more often than not with the equivalent of a rootkit on each RMM agent.
SolarWinds is an attractive target for nation-state-level attackers and enemies of the US due to its access and its bounty. The more clients, the more attractive a specific MSP, service, or platform becomes. SolarWinds was a victim of its own success, to the point that hackers were willing to take a slow but extremely safe path to compromise the environment.
EA
Hackers leveraged Slack in order to compromise EA Games. They managed to get the source code for FIFA 21 as well as the Frostbite engine. The tools and source code themselves are worth a lot, but so are the potential hacks built on them.
This attack leveraged technical social engineering. By finding a list of people at the company from a public source, combining it with a stolen Slack token, and using social engineering, hackers managed to breach EA and compromise it in a way that is going to complicate their processes for years.
This breach was more focused on exfiltrating data to ransom (or simply to sell). We really don’t know one way or another, but either way, the data has ended up on the market for sale. The attack cost the attackers around $10 for a stolen cookie (or set of cookies) and a lot of work and infiltration in order to pull off a social engineering attack.
The cost of the attack itself was trivial; the deciding factor was internal processes which allowed the attack to work. What are you doing to lock down your internal and external processes for your MSP and your clients’ businesses? All it takes is one weak link in the chain, human or technical, to bring everything crashing down without the right safeguards. How are you verifying who you’re chatting with in an internal company chat? What are you doing to make sure people on the phone are who they say they are?
Hacking has grown into both a business and a way to damage a nation’s infrastructure and security. Nation-state-level attacks are on the rise, and they don’t need to hit government targets to do serious damage. Taking out a business can do as much damage as (or even more than) taking out a government institution.
Malware has been getting more advanced. The arms race has gotten complex enough that individuals just can’t cut it. Individuals joined small teams which have grown into an entire ecosystem targeting different pieces of the attack pipeline. Teams can be the size of businesses and still work with multiple other teams to pull off an attack, or to create a way to profit from the spoils of a successful attack (e.g. fencing data).
These efforts finance the teams themselves via ransoms or paid hits (among other potential monetization pathways), but also serve nation-state aims and goals (like privateering). Groups like DarkSide and REvil do not target anyone in their own region. The government turns a blind eye to their actions, but also more than likely funds them or provides targets in some way. Patriotism can bleed into profiteering.
Russia, China, North Korea, etc. all continue to be digital threats to the United States and allies. The wargames are escalating and the stakes are getting higher and higher in the era of digital conflict. These nations have blurred the line between crime and war with the nature of their attacks. As the attacks become more profitable and tensions rise, the attacks are going to get more brutal and more surgical in their scope and their damage.
As an MSP, the business implications are dire. You are potentially a point of ingress into multiple networks for multiple businesses, which means a single compromise can damage both you and your clients. An RMM like SolarWinds or ConnectWise can offer an easy way into systems with privileged access and limited oversight (depending on the methodology and administration of the tools available). Tricks like fileless malware can enable a simple script to compromise sites and elude security measures. Security isn’t just nice to have; it’s essential as the arms race takes off.
Downtime is expensive for you and your clients. Just because it isn’t your fault a client went down doesn’t mean it won’t impact you economically if they crater. When you work in a B2B service, you are tied to your client. Their success is your success, and their failure can become your failure if you are not careful. What are you doing to prevent compromises and cyber warfare attacks?
A leaky API can become weaponized as easily as an errant password obtained through social engineering. The marriage of social engineering and novel technical exploits resulted in us developing our own patent-pending security tool, ID 20/20.
As our lives become increasingly dependent on and entwined with digital services and processes, our well-being becomes increasingly reliant on each link in the chain functioning optimally. Each minor fracturing of process ends up weaponized as a way to break a business. A breach in a service means an inability to function or a loss of control of intellectual property, even if the attack doesn’t spread to a full compromise. Vulnerability on this front can damage your reputation, dull your competitive edge, or worse.
As geopolitical relationships are strained and economies increasingly compete for limited resources, we’re going to see that this is just the beginning for cyber warfare. Nation-state actors see cyber-attacks not just as a way to damage a country, but as a way to destabilize industries and finance further operations. A bomb dropped is an act of war (and costly to boot), but a pipeline or meat packing plant breached is the work of bad actors until proven otherwise (with the bonus of sowing discontent and damaging infrastructure).
MSPs are going to become larger targets for cyber warfare as their value as an easier way into many companies becomes more attractive. RMM tools offer a near unlimited level of access to the machines they manage, all available in one attractive location. What are you doing to prevent your convenience from becoming a point of ingress for threat actors? How are you keeping your clients safe and mitigating politically motivated attacks which can destroy them?
We use and provide a layered approach to security to reduce the impact of any given action by a threat actor. No layer is perfect or anywhere close (anyone who tells you differently is lying), but the chances of getting in and doing damage decrease with each hurdle in the way. We combine that with alerting and smart solutions to prevent the spread of destruction or ingress and limit the damage done. We missed the latest round of attacks, and not just by luck. Add in backups and you can quickly roll with the punches. A nation-state actor that wants in will probably get in with enough resources, but you need to ensure that if (or when) they do, they get as little as possible and that it is as inconvenient as possible.
Contact us for more information about what The 20 can do for your MSP to help ready you for growing cyber threats.